-
August 18th, 2004, 02:59 AM
#1
Senior Member
attacked by hotmail??
Hello: Today I started MSN Messenger and a few seconds later I got an attack detected by Norton Internet Security. Here are some details from my log files:
Details: Rule "Default Block Bla Trojan horse" stealthed (e450.voice.microsoft.com(64.4.12.200),1042)
Inbound UDP packet
Local address,service is (jagermeister(192.168.1.8),1042)
Remote address,service is (e450.voice.microsoft.com(64.4.12.200),7001)
Process name is "C:\Program Files\MSN Messenger\msnmsgr.exe"
Results from whois 64.4.12.200:
OrgName: MS Hotmail
OrgID: MSHOTM
Address: One Microsoft Way
City: Redmond
StateProv: WA
PostalCode: 98052
Country: US
NetRange: 64.4.0.0 - 64.4.63.255
CIDR: 64.4.0.0/18
NetName: HOTMAIL
NetHandle: NET-64-4-0-0-1
Parent: NET-64-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.HOTMAIL.COM
NameServer: NS3.HOTMAIL.COM
NameServer: NS2.HOTMAIL.COM
NameServer: NS4.HOTMAIL.COM
Comment:
RegDate: 1999-11-24
Updated: 2003-06-27
TechHandle: MSFTP-ARIN
TechName: MSFT-POC
TechPhone: +1-425-882-8080
TechEmail: [email protected]
OrgAbuseHandle: ABUSE231-ARIN
OrgAbuseName: Abuse
OrgAbusePhone: +1-425-882-8080
OrgAbuseEmail: [email protected]
OrgTechHandle: MSFTP-ARIN
OrgTechName: MSFT-POC
OrgTechPhone: +1-425-882-8080
OrgTechEmail: [email protected]
# ARIN WHOIS database, last updated 2004-07-30 19:10
# Enter ? for additional hints on searching ARIN's WHOIS database.
What could this be?? My guesses:
1. Regular traffic between msn messenger and hotmail and my firewall picked it up as an attack.
2. Real attack from someone spoofing hotmail's IP.
What is the supposed trojan that is being used to attack me? Any guesses if this was just a port scan or something more dangerous? What can be exploited in UDP port 1042?
I know I am asking too many questions but I am very curious to know what this is about.
cheers,
J
-
August 18th, 2004, 03:08 AM
#2
My guess is either option two or someone is using an MSN trojan horse application on you and it just shows up as Microsoft. Disallow that connection and see what happens, although chances are MSN Messenger will shut down. Also, download and run SwatIt from SwatIt.org and work from there.
-
August 18th, 2004, 03:17 AM
#3
It could be MSN Messenger sending a packet via UDP on the same port the trojan horse uses thus alarming you.
But Google showed MSN Messenger Application uses
http://support.microsoft.com/default...b;en-us;324214
Incoming voice (computer to computer) 6901 6901
Voice (computer to phone) 6801, 6901, 2001-2120
File transfer (receiving a file) 6891-6900
via UDP; however, it is showing it as port 7001 UDP... were you doing file transfers, voice?
Jack
-
August 18th, 2004, 01:19 PM
#4
Senior Member
Hi, I haven't had any subsequent attacks of this type. That's good. It was probably just a Script Kiddie.
FYI: I have googled for udp port 1042:
http://www.aroundtownnc.com/security...ter_ports.html
Turns out that port is used by the BLA trojan:
http://securityresponse.symantec.com...la.trojan.html
Spyder: I will run swatit and see if it finds anything.
cheers,
J
-
August 18th, 2004, 02:04 PM
#5
Johnny: You also have to be aware that Intrusion Detection Systems are prone to false positives. The rule that appeared to have been contravened may look like this:-
alert udp EXTERNAL_NET 7001 -> HOME_NET any (msg:"Default Block Bla Trojan horse"; flow: to_server, established; content: "1234567890"; etc........)
Yes, I know, that's a Snort rule.....
But if the rule doesn't specify such things as offsets within the packet then something as silly as MSN giving you a session ID of 1234567890 would trigger the rule at some point in the conversation.
The fact that it happened only once would reinforce the potential for a false positive.
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
-
August 18th, 2004, 05:26 PM
#6
I have heard of swatit and I was thinking of downloading it. Is swatit compatible with other software like spybot, adaware, avast! AV, etc?
Reading the Norton's website on that bla trojan I read this:
Causes system instability: Blue warning screens are displayed every time the computer is restarted
Does this happen to you? If not then it probably is a false positive IMHO.
-
August 20th, 2004, 06:53 PM
#7
Senior Member
TS: I reckon you are right. This attack has not happened again and when it did it was when MSN started, so probably it was just regular traffic picked up by my IDS.
thnx everybody for your input,
J